Monday 15 August 2016

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof.

Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77
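As an added illustration (not part of the original post), the script below turns the indicators listed above into a small proxy-log checker: the C2 blocklist (one /24 plus two single addresses) is loaded with Python's `ipaddress` module so that CIDR and bare-IP entries match the same way, and the downloader URLs are matched on the shared path `/HJ6bhGHV` as well as on the listed hosts, since those hosts are ordinary compromised sites and the path is the more stable indicator. The log format and the sample lines are constructed for the example; adapt the field split to your own proxy's format.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the post above; the rest of this script is an added
# illustration, not part of the original write-up.
C2_BLOCKLIST = ["185.129.148.0/24", "138.201.56.190", "46.148.26.77"]
DOWNLOAD_HOSTS = {
    "marcinha.50webs.com", "marimo1963430.web.fc2.com", "mondialmt2.hi2.ro",
    "orquestracaravan.com", "turiblo.atspace.com", "www.lancerortho.com",
    "www.pescatoridelpontile.it", "www.reniero.org", "www.vinyljazzrecords.com",
    "xn--kukuk-gstrow-jlb.de",
}
DOWNLOAD_PATH = "/HJ6bhGHV"

# Constructed sample proxy log (not real traffic). One request per line:
# <timestamp> <client_ip> <dest_ip> <method> <url>
SAMPLE_LOG = """\
2016-08-15T10:40:55Z 10.0.0.23 203.0.113.10 GET http://orquestracaravan.com/HJ6bhGHV
2016-08-15T10:41:02Z 10.0.0.23 46.148.26.77 POST http://46.148.26.77/php/upload.php
2016-08-15T10:41:20Z 10.0.0.41 203.0.113.20 GET http://www.example.com/index.html
2016-08-15T10:42:30Z 10.0.0.23 185.129.148.200 POST http://185.129.148.200/php/upload.php
2016-08-15T10:43:00Z 10.0.0.52 203.0.113.30 GET http://www.example.net/HJ6bhGHV
"""


def build_networks(entries):
    """Turn a mixed list of CIDR blocks and single IPs into ip_network objects
    (a bare address becomes a /32, so one membership test covers both)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


C2_NETWORKS = build_networks(C2_BLOCKLIST)


def ip_is_blocked(ip, networks=C2_NETWORKS):
    """True if ip falls inside any blocklisted network; non-IP input is not blocked."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def classify_request(dest_ip, url, networks=C2_NETWORKS):
    """Label a request as C2 beaconing, payload download, or None if clean."""
    if ip_is_blocked(dest_ip, networks):
        return "locky-c2"
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # The download hosts are compromised legitimate sites, so the shared
    # path is matched on any host, not only on the ones listed.
    if parsed.path == DOWNLOAD_PATH or host in DOWNLOAD_HOSTS:
        return "locky-downloader"
    return None


def scan_log(text, networks=C2_NETWORKS):
    """Return (client_ip, label, url) for every log line matching an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        _ts, client_ip, dest_ip, _method, url = fields
        label = classify_request(dest_ip, url, networks)
        if label:
            hits.append((client_ip, label, url))
    return hits


if __name__ == "__main__":
    # Each internal client that appears here is a candidate for isolation.
    for client_ip, label, url in scan_log(SAMPLE_LOG):
        print(f"{client_ip}\t{label}\t{url}")
```

Running it flags four of the five constructed lines: host 10.0.0.23 both fetched the downloader and beaconed to two C2 addresses (one inside the /24, so a single-IP list would have missed it), and 10.0.0.52 fetched the same path from a host not on the list.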


6 comments:

Unknown said...

Just received a similar email with Order Confirmation-1115-2110458-20160817-076465 in the subject line. DO NOT OPEN THE ATTACHMENT!

Unknown said...

Me too.
What can that virus do?

Yan said...

Hi, so stupid that I downloaded and opened the file....
Already deleted it from my computer, any risk or anything I should do now?

Unknown said...

I just received that same email and decided to do a Google search and found this helpful blog. Luckily I didn't open the attachment because I know I didn't use esab.co.uk services and just was worried someone had access to my CC.

Unknown said...

I just received this and will now delete. Thanks

Unknown said...

The Locky downloader is just a variant. The random number generator tries all kinds of e-mail combinations, and then pumps out an attachment with the changing serial number.

It appears to originate from India on IP 1.187.114.143, but that is only the forwarder's node. The IP embedded in the headers, 117.223.50.136, is the source of the e-mail.

According to the Composite Block list, 117.223.5.136: this IP is infected with, or is NATting for a machine infected with, Win32/Dorkbot, and was last detected on 2016-08-20 08:00 GMT +/- half an hour.

If you are in .ca, the sinkhole of spam wants to know how many are being sent, so forward your spam to 'spam@fightspam.gc.ca', and yes, they do 'win' once in a while: http://news.gc.ca/web/article-en.do?nid=1023419